Bind 9.1 Question
Mark.Andrews at nominum.com
Tue Jan 30 01:57:24 UTC 2001
This is not reproducible. i.e. I cut and pasted the acl
and added the allow-* clauses to a working config and
could query via 127.0.0.1.
Are you 100% sure you have restarted named with this exact
configuration?
If it still exists after restarting named, log a bug report
with bind9-bugs at isc.org.
Mark
>
> With dig, it gives the same type of responses. Although 9.1 might not
> support it, I was under the impression that nslookup use is deprecated,
> not completely removed altogether. I'm not too terribly familiar with dig,
> but just typing "dig" at the prompt produces this:
>
>
> [root at news doc]# dig
>
> ; <<>> DiG 9.1.0 <<>>
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 28309
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;. IN NS
>
> ;; Query time: 10 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Tue Jan 30 00:11:57 2001
> ;; MSG SIZE rcvd: 17
>
>
> Notice the "REFUSED" part still? This is what I'm having trouble with...
> Again, it's probably really braindead what I'm missing, but I'm not seeing
> it.
>
> If anyone has a look at the named.conf snippet I sent earlier, please tell
> me what option I'm missing or need to axe.
>
> W
>
> On Mon, 29 Jan 2001, Nguyen, Andy wrote:
>
> > nslookup is not supported in Bind 9.1. Use dig instead.
> >
> > -----Original Message-----
> > From: Willis L. Sarka [mailto:wlsarka at the-republic.org]
> > Sent: Monday, January 29, 2001 5:50 PM
> > To: bind-users at isc.org
> > Subject: Bind 9.1 Question
> >
> >
> >
> > Greetings,
> >
> > I have Bind 9.1 up and running successfully, but I have one small problem.
> > I can perform an nslookup query remotely (i.e. not on the same machine
> > that Bind is running on), and it works just fine. However on the same
> > machine that is running Bind 9.1, when I do a nslookup, I get a "refused"
> > message. I'm sure this is probably something _really_ that I'm missing,
> > but I've been stuck for a few hours, so here I am.
> >
> > Sample nslookup on machine running bind 9.1:
> >
> > [root at news /root]# nslookup
> > Note: nslookup is deprecated and may be removed from future releases.
> > Consider using the `dig' or `host' programs instead. Run nslookup with
> > the `-sil[ent]' option to prevent this message from appearing.
> > > news.bldr.rtone.com
> > Server: 127.0.0.1
> > Address: 127.0.0.1#53
> >
> > ** server can't find news.bldr.rtone.com.: REFUSED
> > >
> >
> >
> > Messages from the log files:
> >
> > Jan 29 22:45:13.983 security: client 127.0.0.1#2030: query denied
> >
> > Here is my named.conf:
> >
> > acl "internals" { 127.0.0.1; 172.16.0.0/20; 172.16.16.0/24; 172.16.5.0/24;
> > 192.168.253.0/24; };
> >
> > controls {
> > inet 127.0.0.1 allow { localhost; } keys { namedkey; };
> > };
> >
> > key namedkey {
> > algorithm "hmac-md5";
> > secret "tP6O603HGrPW6bV59JV4vw==";
> > };
> >
> > options {
> > auth-nxdomain no;
> > directory "/";
> > pid-file "named.pid";
> > allow-query { "internals"; };
> > allow-recursion { "internals"; };
> > allow-transfer { "internals"; };
> > };
> >
> > logging {
> > channel namedlog {
> > file "var/log/named.log" versions 5 size 2m;
> > print-time yes;
> > print-category yes;
> > };
> > category xfer-out { namedlog; };
> > category panic { namedlog; };
> > category security { namedlog; };
> > category insist { namedlog; };
> > category response-checks { namedlog; };
> > };
> >
> > //
> > // a caching only nameserver config
> > //
> > zone "." {
> > type hint;
> > file "named.ca";
> > };
> >
> > zone "0.0.127.in-addr.arpa" {
> > type master;
> > file "named.local";
> > };
> >
> > zone "rtone.com" {
> > type master;
> > file "db.rtone.com";
> > };
> >
> > zone "bldr.rtone.com" {
> > type master;
> > file "db.bldr.rtone.com";
> > };
> >
> > zone "dnvr.rtone.com" {
> > type master;
> > file "db.dnvr.rtone.com";
> > };
> >
> > zone "smartpoint.com" {
> > type master;
> > file "db.smartpoint.com";
> > };
> >
> > .... more reverse zones, etc...
> >
> >
> >
> > I know the logging section needs work.
> >
> >
> > Rndc is working just fine on the nameserver box, if that matters, and
> > named starts and runs fine.
> >
> >
> > Again, any help is appreciated. This is the last step before I convert
> > from Bind 8.2.2_P7 to Bind 9.1. I'd like to never again worry about a
> > Bind 8.x buffer overflow, or root exploit.
> >
> > Thanks,
> > Will Sarka
> >
> >
> >
> >
>
> --
> ---------------------------------------------
> Those, who would give up essential liberty to
> purchase a little temporary safety, deserve
> neither liberty nor safety.
>
> -Ben Franklin
> Historical Review of Constitution and
> Government of Pennsylvania
> ---------------------------------------------
>
>
--
Mark Andrews, Nominum Inc.
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews at nominum.com
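
Added example, not part of the original thread and not ISC code: a Python check that replays "query denied" lines from the security log against the "internals" acl as written in the quoted named.conf, marking denials that the on-disk ACL would have allowed. It assumes the acl holds only literal addresses and prefixes (no negation, keys or nested acl names); apart from the first line, which is the one from the post, the sample log lines are constructed.

```python
import ipaddress
import re

# Elements of the "internals" acl, copied from the quoted named.conf.
INTERNALS = ["127.0.0.1", "172.16.0.0/20", "172.16.16.0/24",
             "172.16.5.0/24", "192.168.253.0/24"]

# Sample log: first line is from the post, the other two are constructed.
SAMPLE_LOG = """\
Jan 29 22:45:13.983 security: client 127.0.0.1#2030: query denied
Jan 29 22:45:14.120 security: client 172.16.17.9#1045: query denied
Jan 29 22:45:15.301 security: client 192.168.253.7#1999: query denied
"""

DENIED = re.compile(r"security: client (?P<addr>[0-9a-fA-F.:]+)#\d+: query denied")


def matching_element(addr, networks):
    """Return the first ACL element that contains addr, or None."""
    ip = ipaddress.ip_address(addr)
    for net in networks:
        if ip.version == net.version and ip in net:
            return net
    return None


def audit_denials(log_text, elements):
    """Classify each denial as expected or unexpected under the on-disk ACL."""
    nets = [ipaddress.ip_network(e, strict=False) for e in elements]
    results = []
    for line in log_text.splitlines():
        m = DENIED.search(line)
        if not m:
            continue
        hit = matching_element(m.group("addr"), nets)
        verdict = "unexpected" if hit else "expected"
        results.append((m.group("addr"), verdict, str(hit) if hit else None))
    return results


if __name__ == "__main__":
    for addr, verdict, element in audit_denials(SAMPLE_LOG, INTERNALS):
        print(f"{addr:15} {verdict:10} matched={element}")
```

An "unexpected" result means the file on disk would have allowed that client, so the first thing to check is whether the running named was actually started with that file.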